How to clone a SIM card [not]

I often bump into ads in which somebody states that a company can clone your SIM card, or that some wise guy has the gear needed to clone a SIM card. A slight variation is the ads that state that one SIM card can be made to hold more than one SIM [i.e. if you have two SIMs, you can migrate them into one, so there is no need to switch cards when you feel like switching numbers or mobile operators].

Why is cloning a SIM card impossible? [for a usual human being like you and me]

Because a SIM card is a smart card: it has an operating system, a microprocessor and a file system. On top of that, it has a solid authentication mechanism that allows the card to determine which actions can be carried out [and which ones cannot] by a specific user. Yes – it is similar to an OS with multiple users, in which an administrator [or root] can do anything, while somebody else [say, Guest] can only read a limited number of files.

A SIM card is made of directories that hold files, and each file has its own use: for instance, one of them holds your address book, another one your SMS archive, etc. These files can be read by us, the mobile phone owners.

There are also system files, such as the ones that contain information about the secret keys used by the phone to connect to the mobile network. Such data are critical, and they cannot be changed by the user – i.e. by us.

In order to clone a SIM card, every single file must be read, including the ones that hold the low-level secret information. But, as you’ve probably figured out by now – the card’s protection mechanism will simply not allow that data to be read. Just imagine that you’re logged on as a guest, and you want to copy some files that only an administrator can access. For obvious reasons – you will fail.

So, if you really want to clone a SIM card, you need to “log on as an administrator”. Simple - but not possible for the end-user. Here are some extra facts that should help you understand why things are so.

When you buy a SIM card, the operator gives you the SIM card itself, and several codes: PIN, PUK [sometimes also PIN2, and PUK2]. The card is already formatted, meaning that its file system is created and it already contains some data. The PIN is something that allows you to “log on as a guest” and use the resources such as the address book. So there’s no way you can clone the card - insufficient privileges.

But how do mobile operators make changes to the card?

As stated earlier, a SIM card is just a smart card with a special format. Assume the mobile operator buys a thousand smart cards that are 100% empty. From the very beginning, the card manufacturer gives the provider the so-called transport key (a.k.a. issuer key), which is what is needed in order to perform any operation with the card. Afterwards, a person from the GSM operator formats the cards, creates the needed files, assigns the PINs, etc., and then the SIM cards end up on the shelves of stores and boutiques.

The conclusion is that the SIM card’s transport key is what you need in order to be able to actually clone it. But the problem is that the key is kept secret, for obvious reasons. Think about all the damage that could be done, all the financial scams, and so on.

So, when somebody says they can clone a SIM card, it is very likely to be a false claim, unless that person is an employee of the mobile operator, and has access to the transport keys. Even in that case, you can be sure that it is illegal, because no employee is allowed to disclose such information and use it for personal purposes.

But what about brute-force attacks?

Those won’t work, because a GSM SIM card [like any other smart card] will lock itself if an invalid PIN is entered a certain number of times. Afterwards, you can still unlock the card with the PUK, but if that fails too, the card will permanently lock itself, meaning that its data are no longer available: gone, nada, zilch!

Technically, it is possible: all you need is a SIM card reader (or a PC/SC compliant smart card reader) and a hell of a lot of luck, so that you guess the right key before the card locks itself. But let’s face it; the chance to succeed is probably much smaller than the chance of a pink unicorn materializing right now, right behind you!
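As an added illustration (not code from the original post), here is a toy Python model of the access-control rules the post describes: files tagged with an access condition, a PIN that only opens the "guest" files, an administrative key that the subscriber never receives, a PIN retry counter, and a PUK counter whose exhaustion locks the card for good. The file names, the access-condition labels (ALW, CHV1, ADM, NEV), the retry limits of 3 and 10, and all the secret values are assumptions made for the illustration; the model does not talk to a real card and does not implement the GSM 11.11 command set.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Access conditions a file's read operation may carry (labels assumed for this illustration).
ALW = "ALW"    # always readable, no authentication required
CHV1 = "CHV1"  # readable after PIN1 verification ("log on as a guest")
ADM = "ADM"    # readable only after the issuer's administrative key is presented
NEV = "NEV"    # never readable through the card interface

PIN_TRIES = 3   # assumed retry limit before the PIN is blocked
PUK_TRIES = 10  # assumed retry limit before the card is locked permanently


@dataclass
class ElementaryFile:
    name: str
    read_condition: str
    content: bytes


@dataclass
class SimCard:
    pin: str
    puk: str
    adm_key: str  # transport / issuer key: held by the operator, never by the subscriber
    files: Dict[str, ElementaryFile] = field(default_factory=dict)
    pin_left: int = PIN_TRIES
    puk_left: int = PUK_TRIES
    pin_verified: bool = False
    adm_verified: bool = False

    def permanently_locked(self) -> bool:
        """Both counters exhausted: nothing on the card is reachable any more."""
        return self.pin_left == 0 and self.puk_left == 0

    def verify_pin(self, candidate: str) -> bool:
        """Each wrong guess burns one retry; at zero the PIN is blocked until a PUK unblock."""
        if self.permanently_locked() or self.pin_left == 0:
            return False
        if candidate == self.pin:
            self.pin_verified = True
            self.pin_left = PIN_TRIES  # a correct PIN resets the counter
            return True
        self.pin_left -= 1
        if self.pin_left == 0:
            self.pin_verified = False  # a blocked PIN revokes guest access
        return False

    def unblock_pin(self, candidate_puk: str, new_pin: str) -> bool:
        """The PUK has its own counter; running it out locks the card for good."""
        if self.permanently_locked():
            return False
        if candidate_puk == self.puk:
            self.pin, self.pin_left, self.puk_left = new_pin, PIN_TRIES, PUK_TRIES
            return True
        self.puk_left -= 1
        return False

    def verify_adm(self, candidate: str) -> bool:
        """Administrative authentication: only whoever holds the issuer key can pass."""
        if not self.permanently_locked() and candidate == self.adm_key:
            self.adm_verified = True
            return True
        return False

    def read(self, name: str) -> Optional[bytes]:
        """A read succeeds only if the file's access condition is currently satisfied."""
        if self.permanently_locked():
            return None
        f = self.files[name]
        satisfied = {ALW: True, CHV1: self.pin_verified,
                     ADM: self.adm_verified, NEV: False}[f.read_condition]
        return f.content if satisfied else None


def make_demo_card() -> SimCard:
    """Constructed sample card; every secret here is a made-up demo value."""
    card = SimCard(pin="1234", puk="87654321", adm_key="demo-issuer-key")
    for ef in (
        ElementaryFile("EF_ICCID", ALW, b"89-demo-iccid"),            # card serial, public
        ElementaryFile("EF_ADN", CHV1, b"Alice;+1-555-0100"),          # address book
        ElementaryFile("EF_SMS", CHV1, b"demo message"),               # SMS archive
        ElementaryFile("EF_OPERATOR_CFG", ADM, b"operator settings"),  # issuer-managed file
        ElementaryFile("EF_NETWORK_KEY", NEV, b"demo network secret"), # used internally only
    ):
        card.files[ef.name] = ef
    return card


def dump_readable(card: SimCard) -> Dict[str, Optional[bytes]]:
    """What a copy attempt could read at the current privilege level; None = not readable."""
    return {name: card.read(name) for name in card.files}


def exhaust_counters(card: SimCard) -> Tuple[int, int, bool]:
    """Feed deliberately wrong PIN and PUK values until both counters are gone."""
    pin_failures = 0
    while card.pin_left > 0 and not card.verify_pin("not-the-pin"):
        pin_failures += 1
    puk_failures = 0
    while card.puk_left > 0 and not card.unblock_pin("not-the-puk", "0000"):
        puk_failures += 1
    return pin_failures, puk_failures, card.permanently_locked()
```

Walking the model through the post's scenarios: with no PIN only EF_ICCID is readable; after PIN1 the address book and SMS open but the issuer-managed and internal-only files stay closed, so a full dump is impossible at subscriber privilege; only the issuer key opens the ADM file, and the NEV file never leaves the card at all; and three wrong PINs followed by ten wrong PUKs leave even the public file unreadable.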

Back to our money-making wise-guys – most often, the ad goes like this:

“SIM card clones, any operator, any country”.

Now that’s a bold statement! If it were just a once-in-a-lifetime deal, somebody who can clone a SIM card of a single operator (where they used to work, but got fired, and now they fight back), it would’ve been more credible. But being able to clone any SIM card means that all the transport keys of all the mobile operators have been compromised, and nobody noticed.

Some pseudo-statistics

No, I am not a statistician, but I did do some minor research, which included questioning almost everybody I know (who is technically literate). It turns out that everybody has heard about people who clone SIM cards, but nobody has ever seen the process of cloning, or a home-made^ two-in-one SIM card in action.

With that said, ladies and gentlemen, I rest my case.

^ - Strictly home-made, because it does make sense when the operator itself provides such a service [which is not an uncommon thing].

What you say makes some sense, but if you do a bit copy to clone, then the content or file structure is irrelevant, as you have no need to access it; you are making an exact duplicate, so you need none of the files.
In this sense you can copy (clone) the card so you have two exactly identical cards, but as for the other claims I can't say :)

Trode, you'd be right, if you weren't wrong. Smart cards are designed in such a way that you cannot read the raw data in a bit-by-bit fashion.

If you are a programmer, this analogy may work: there's a class with some data in it; the data attribute is private and cannot be accessed by an outsider.
There are some public functions, such as ReadData and WriteData, which will provide access to some parts of the information if you provide the correct access credentials.

In other words, there is no way to read that information directly, you can only do so through the intermediate functions, which enforce the security rules.

You can try to reverse engineer a SIM card, if you have some sophisticated equipment that can copy molecules :-)

In this case it would be exactly as you describe - you don't care about the data, you don't care about the bits; you just copy atoms from point A to point B.

Ganesh, I think you can try to obtain the key if you work closely with a mobile operator and sign an NDA with them. Otherwise this information is not public and not available to anyone.

The fact is, to clone a SIM all you need is the IMSI & KI information from your existing SIM.

I personally CLONED many SIM-Cards Successfully. The brute-force method worked for me most of the time.

All you need is a Multi-In-One Blank SIM Card & a Card Reader/Writer.

I found it's easy to clone the SIM before the Activation takes place.
Meaning, when you buy a new SIM card, usually it's NOT activated (Not Ready to USE); when you insert it into your handset for the 1st time, it will get activated by altering some data inside it.
So before putting your new SIM Card into the handset, try to clone it. And then insert the cloned one in the handset to activate.

Hi
You mentioned that contacts & SMS are accessible for the end-user, but I bet those data are also secured by the PIN?

I'm just asking because I transferred a phone line from one operator to another, and the old SIM got locked before I saved all the contacts from it (dumb me...), so I bet there is no way to recover those contacts, neither for me nor for any operator with "root" privileges?

Dear guest - you're right, that data are protected by the PIN code, so without it - there's nothing you can do.

An alternative strategy is to enter a wrong PIN multiple times in order to block the card. Then, if you know the PUK - you can unblock it.

If you don't know the PUK - there is nothing you can do.

shikhar mehta - you're right, billing is always done on the operator's equipment and that info is not kept on the phone, I'll make the necessary updates in the story.
What I meant is that there is a lot of sensitive information which can be used to commit fraud (like placing calls on someone else's behalf).

Anybody can Clone a SIM card. The clone (as the name implies) is an exact copy of the information on the other, so an EXACT mirror image. To prove I could do it I used G4L (Ghost for Linux) and ghosted one card to another, put the "new" cloned one into my phone and it worked exactly the same as the original. I did not need to gain "entry" to the SIM OS. Why would I? I just need it to clone bit-by-bit!

Thanks for the important info about the SIM cards. I was about to purchase one of the so-called SIM card readers and writers. But now I think I will have no need for that, as I have understood the complexity of the SIM card operation. It should be true, or else there would have been so many people who would have violated personal space and rights. Thanks once again.

Freeze the card with nitrogen while it is powered and 'ready to login' inside the phone. Remove it and hack from there... not easy, but it has been proven to work with RAM chips to recover impossible-to-hack passwords. A complicated and risky procedure, only for electronics experts.

Actually, SIM cards do not contain the OS or the microprocessor. They only contain your phone numbers. I know because I swapped from a Vodafone SIM card in my phone to an Orange one and the interface was exactly the same, along with the background and all my files except my phone numbers.

As of March 8th this was still possible with a new phone/new SIM card from AT&T. Not sure where this article is getting its information, but the author should educate him/herself a little more before making blanket statements which are false.

Sorry to the author if this is offensive, but cloning is not a difficult task, as of less than a month ago, with all-new technology/security/SIM cards, the whole bit.

Peter, what you're describing is called a "cold boot attack", I've covered such attacks here: http://lazybit.com/index.php/2008/02/27/protect-cold-reboot-attack-encryption

However, that doesn't help you with SIM cloning in any way. Assume that I started up my phone, entered PIN1, and can access the phonebook, SMS, etc.

To make a full clone, you need to know ADM1, ADM2, ADM3... which I did not enter. Even if you froze my phone and the SIM in it - you won't get anywhere, because the resources protected with ADMx were never unlocked.

CnC fan - SIM cards do contain a processor and an operating system. They are designed to comply with a specification, such that any phone of any brand will be able to use the SIM and provide the same user experience. The interface you saw is the interface of the phone, not the one of the SIM. Actually, the system inside the SIM card doesn't draw windows of any kind, it is responsible for managing access to different files stored inside the card and restricting access to the files that contain sensitive data.
In other words, what you saw is not proof of the fact that there's no OS or processor inside a card, it is proof of the fact that standardization works.

Joe, thanks for the constructive comment, I am not offended because you didn't call me an idiot or anything of that sort :-) Here are more details that will help you see things better.
- I did not say that cloning is not possible, I did say that doing that requires that you have all the access codes for all the files on the card, not just PIN1 or PIN2.
- a mobile operator knows the codes (because they control their cards, don't they?), hence this poses no problem to them.

How exactly did you clone the AT&T card? By giving it to them? Or did you do this yourself? If it is the former - it is not surprising, if it is the latter - I'd like to know more about it.

In the context of education, you can verify my statements by checking the specifications that define how a SIM card must behave in various conditions. The documents you want to look at are:
- GSM 11.11 (for 2G cards)
- ETSI 151 011 (for 3G USIM cards)

Both specs are freely downloadable. If you want more details, let me know.

Most of the SIM card readers/writers are from China, poorly made and only able to program old non-programmed SIM cards, like the gold card, green card, etc. So hacking a pre-2002 card and then programming it into a gold card is possible but pointless. There is software that picks up the interaction between the phone, the SIM and the network operator, but this, as I suspect, will only work on poorly secured networks where quantity is more important than quality, let's say in a developing nation. Some interesting pointers from the comments.

A lot of Re8L hAcKeRz turned themselves over to the corporations for a well-paid job and all the equipment you could ever want to play with. It's better than sitting cracking SIM cards for a few thousand pounds' gain, munching on burgers and farting up the room without having a bath for a week like a nerd.

Now you have ex-hackers working for one company trying to crack the code of another company, so it's like a war between experts to keep the systems secure. Why do you think the operators are always changing and amending their tactics, equipment, firmware, etc.?

Ahh Bless the PCN days when you just put in a simple code and talked for years on bill gates’s line :)

Hey Ab, these claims are not true. The #90 or 90# story is very old, and it seems that the person who wrote the article you referenced did not do any background research.

In some corporate environments, the settings are such that pressing #90 during a conversation will let your peer dial a number through your company's phone switchboard. Thus you (or your company) have to pay for the call. (Note that this is in no way related to cloning SIM cards; you simply let someone place an outgoing call.)

To simplify this to the basics:
- the claim is false
- the SIM will not be cloned
- for more details see http://urbanlegends.about.com/library/weekly/aa021898.htm

Personally, I think these rumours simply offend the people of Pakistan (+92 is their area code), because the rumour makes it seem that everybody in that country is a liar or a fraudster. Ahhh.... what a world.